Adobe Reaches $1 Million Data Breach Settlement With Indiana, 14 Other States

Indiana Attorney General George Jepsen on Thursday joined 14 other state attorneys in announcing a $1 million data breach settlement with software and technology company Adobe Systems, Inc.

The settlement resolves an investigation into the 2013 breach of certain Adobe servers, including servers containing the personal information of approximately 552,000 residents of the participating states.

In September 2013, Adobe received an alert that the hard drive for one of its application servers was nearing capacity. In responding to the alert, Adobe learned that an unauthorized attempt was being made to decrypt encrypted customer payment card numbers maintained on the server.

Adobe stopped the decryption process, disconnected the server from the network, and found the attacker had compromised a public-facing Web server and used it to access other servers on Adobe’s network. The attacker ultimately stole encrypted payment card numbers and expiration dates, names, addresses, telephone numbers, e-mail addresses, and usernames as well as other data.

The states alleged that Adobe did not use reasonable security measures to protect its systems from an attack or have proper measures in place to immediately detect an attack. The agreement resolves consumer protection and privacy claims against the company and requires Adobe to implement new policies and practices to prevent future similar breaches.

“Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access,” said Jepsen. “Adobe worked in good faith with my office and the states affected by this incident to better protect consumer information going forward, and for that it deserves some credit.”